
Bump @apollo/server from 4.2.2 to 4.7.4 in /starter-dev-backend

Open dependabot[bot] opened this issue 2 years ago • 14 comments

Bumps @apollo/server from 4.2.2 to 4.7.4.

Release notes

Sourced from @apollo/server's releases.

@apollo/server-integration-testsuite@4.7.4

Patch Changes

  • #7604 aeb511c7d Thanks @renovate! - Update graphql-http dependency

  • 0adaf80d1 Thanks @trevor-scheer! - Address Content Security Policy issues

    The previous implementation of CSP nonces within the landing pages did not take full advantage of the security benefit of using them. Nonces should only be used once per request, whereas Apollo Server was generating one nonce and reusing it for the lifetime of the instance. The reuse of nonces degrades the security benefit of using them but does not pose a security risk on its own. The CSP provides a defense-in-depth measure against a potential XSS, so in the absence of a known XSS vulnerability there is likely no risk to the user.

    The mentioned fix also coincidentally addresses an issue with using crypto functions on startup within Cloudflare Workers. Crypto functions are now called during requests only, which resolves the error that Cloudflare Workers were facing. A recent change introduced a precomputedNonce configuration option to mitigate this issue, but it was an incorrect approach given the nature of CSP nonces. This configuration option is now deprecated and should not be used for any reason since it suffers from the previously mentioned issue of reusing nonces.

    Additionally, this change adds other applicable CSPs for the scripts, styles, images, manifest, and iframes that the landing pages load.

    A final consequence of this change is an extension of the renderLandingPage plugin hook. This hook can now return an object with an html property which returns a Promise<string> in addition to a string (which was the only option before).

  • Updated dependencies [0adaf80d1]:

    • @apollo/server@4.7.4


@apollo/server-integration-testsuite@4.7.3

Patch Changes

@apollo/server@4.7.3

Patch Changes

  • #7601 75b668d9e Thanks @trevor-scheer! - Provide a new configuration option for landing page plugins precomputedNonce which allows users to provide a nonce and avoid calling into uuid functions on startup. This is useful for Cloudflare Workers where random number generation is not available on startup (only during requests). Unless you are using Cloudflare Workers, you can ignore this change.

    The example below assumes you've provided a PRECOMPUTED_NONCE variable in your wrangler.toml file.

    Example usage:

    const server = new ApolloServer({
      // ...
      plugins: [
    

... (truncated)

Changelog

Sourced from @apollo/server's changelog.


4.7.3

Patch Changes

  • #7601 75b668d9e Thanks @trevor-scheer! - Provide a new configuration option for landing page plugins precomputedNonce which allows users to provide a nonce and avoid calling into uuid functions on startup. This is useful for Cloudflare Workers where random number generation is not available on startup (only during requests). Unless you are using Cloudflare Workers, you can ignore this change.

    The example below assumes you've provided a PRECOMPUTED_NONCE variable in your wrangler.toml file.

    Example usage:

    const server = new ApolloServer({
      // ...
      plugins: [
        ApolloServerPluginLandingPageLocalDefault({
          precomputedNonce: PRECOMPUTED_NONCE,
        }),
      ],
    });
    

4.7.2

Patch Changes

  • #7599 c3f04d050 Thanks @trevor-scheer! - Update @apollo/utils.usagereporting dependency. Previously, installing @apollo/gateway and @apollo/server could result in duplicate / differently versioned installs of @apollo/usage-reporting-protobuf. This is because the @apollo/server-gateway-interface package was updated to use the latest protobuf, but the @apollo/utils.usagereporting package was not. After this change, users should always end up with a single install of the protobuf package when installing both @apollo/server and @apollo/gateway latest versions.

4.7.1

Patch Changes

  • #7539 5d3c45be9 Thanks @mayakoneval! - 🐛 Bug Fix for Apollo Server Landing Pages on Safari. A Content Security Policy was added to our landing page html so that Safari can run the inline scripts we use to call the Embedded Sandbox & Explorer.

4.7.0

Minor Changes

... (truncated)

Commits
  • 4dd276a Version Packages (#7609)
  • 0adaf80 Merge pull request from GHSA-68jh-rf6x-836f
  • 2f4b034 Version Packages (#7602)
  • 75b668d Allow landing page to be configured with a precomputed nonce (fix for CF work...
  • 51b79ac Version Packages (#7600)
  • c3f04d0 Update @apollo/utils.usagereporting dependency (#7599)
  • 0233a2d Update codegen types and enforce keeping types up-to-date (#7580)
  • 5ab08c1 Version Packages (#7541)
  • 3f7eaed update tests
  • 7927a3f Update packages/server/src/tests/plugin/landingPage/getEmbeddedExplorerHT...
  • Additional commits viewable in compare view


You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.

Note: Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

dependabot[bot] avatar Jun 16 '23 19:06 dependabot[bot]

Deploy Preview for angular-ngrx-scss canceled.

Latest commit: 7a23b7c7a24eeebedff3de33be26eafba172a0f1
Latest deploy log: https://app.netlify.com/sites/angular-ngrx-scss/deploys/648cbb1beba9d3000820987c

netlify[bot] avatar Jun 16 '23 19:06 netlify[bot]

Deploy Preview for cra-rxjs-styled-components canceled.

Latest commit: 7a23b7c7a24eeebedff3de33be26eafba172a0f1
Latest deploy log: https://app.netlify.com/sites/cra-rxjs-styled-components/deploys/648cbb1b4555720008830983

netlify[bot] avatar Jun 16 '23 19:06 netlify[bot]

Deploy Preview for angular-apollo-tailwind canceled.

Latest commit: 7a23b7c7a24eeebedff3de33be26eafba172a0f1
Latest deploy log: https://app.netlify.com/sites/angular-apollo-tailwind/deploys/648cbb1baec7f000083b79cf

netlify[bot] avatar Jun 16 '23 19:06 netlify[bot]

Deploy Preview for next-react-query-tailwind canceled.

Latest commit: 7a23b7c7a24eeebedff3de33be26eafba172a0f1
Latest deploy log: https://app.netlify.com/sites/next-react-query-tailwind/deploys/648cbb1b7cbd0d0008bebb83

netlify[bot] avatar Jun 16 '23 19:06 netlify[bot]

Deploy Preview for solidjs-tailwind canceled.

Latest commit: 7a23b7c7a24eeebedff3de33be26eafba172a0f1
Latest deploy log: https://app.netlify.com/sites/solidjs-tailwind/deploys/648cbb1b382f8f0008b3f767

netlify[bot] avatar Jun 16 '23 19:06 netlify[bot]

Deploy Preview for nuxt-pinia-tailwind canceled.

Latest commit: 7a23b7c7a24eeebedff3de33be26eafba172a0f1
Latest deploy log: https://app.netlify.com/sites/nuxt-pinia-tailwind/deploys/648cbb1b6f79bc00083e3ae6

netlify[bot] avatar Jun 16 '23 19:06 netlify[bot]

Deploy Preview for vue3-apollo-quasar canceled.

Latest commit: 7a23b7c7a24eeebedff3de33be26eafba172a0f1
Latest deploy log: https://app.netlify.com/sites/vue3-apollo-quasar/deploys/648cbb1baec7f000083b79d4

netlify[bot] avatar Jun 16 '23 19:06 netlify[bot]

Deploy Preview for starter-dev-backend ready!

Latest commit: 7a23b7c7a24eeebedff3de33be26eafba172a0f1
Latest deploy log: https://app.netlify.com/sites/starter-dev-backend/deploys/648cbb1b400cc40008535203
Deploy Preview: https://deploy-preview-1825--starter-dev-backend.netlify.app

netlify[bot] avatar Jun 16 '23 19:06 netlify[bot]

Deploy Preview for remix-gql-tailwind canceled.

Latest commit: 7a23b7c7a24eeebedff3de33be26eafba172a0f1
Latest deploy log: https://app.netlify.com/sites/remix-gql-tailwind/deploys/648cbb1ba13c790007902323

netlify[bot] avatar Jun 16 '23 19:06 netlify[bot]

Deploy Preview for solidstart-tanstackquery-tailwind-mod canceled.

Latest commit: 7a23b7c7a24eeebedff3de33be26eafba172a0f1
Latest deploy log: https://app.netlify.com/sites/solidstart-tanstackquery-tailwind-mod/deploys/648cbb1bf970b600084c2c10

netlify[bot] avatar Jun 16 '23 19:06 netlify[bot]

Deploy Preview for expo-zustand-styled-components canceled.

Latest commit: 7a23b7c7a24eeebedff3de33be26eafba172a0f1
Latest deploy log: https://app.netlify.com/sites/expo-zustand-styled-components/deploys/648cbb1b0aef300007617a9a

netlify[bot] avatar Jun 16 '23 19:06 netlify[bot]

Kudos, SonarCloud Quality Gate passed!

  • Bugs: 0 (rating A)
  • Vulnerabilities: 0 (rating A)
  • Security Hotspots: 0 (rating A)
  • Code Smells: 0 (rating A)

No coverage information
0.0% duplication

sonarqubecloud[bot] avatar Jun 16 '23 19:06 sonarqubecloud[bot]

Deploy Preview for qwik-graphql-tailwind canceled.

Latest commit: 7a23b7c7a24eeebedff3de33be26eafba172a0f1
Latest deploy log: https://app.netlify.com/sites/qwik-graphql-tailwind/deploys/648cbb1b3e6c8c0008ae3ff1

netlify[bot] avatar Jun 16 '23 19:06 netlify[bot]

Deploy Preview for svelte-kit-scss canceled.

Latest commit: 7a23b7c7a24eeebedff3de33be26eafba172a0f1
Latest deploy log: https://app.netlify.com/sites/svelte-kit-scss/deploys/648cbb1b8ce8b5000887a1ce

netlify[bot] avatar Jun 16 '23 19:06 netlify[bot]